After the Cyber Attack on Lockheed Martin, What's the Future of RSA SecurID?

The recent cyber attacks on Lockheed Martin and other large defense contractors have many security experts worried, particularly because the attack relied on a vulnerability in RSA's SecurID, the current gold standard in computer security. If SecurID is seriously flawed, then what comes next?

Up until late last week, 40 million users regarded RSA's SecurID tokens as the computer security gold standard. The system consists of a small fob that generates a new code every 30 seconds, to be used in conjunction with a personal password; it creates a seemingly unhackable two-step authentication system for someone seeking remote access to a computer network. Defense companies doing top-secret business with the Pentagon and the intelligence community trust SecurID to keep their secrets. But the blockbuster revelation that defense giant Lockheed Martin was hacked via a vulnerability in the RSA token has led many to question whether today's gold standard is already yesterday's technology.

Paul Rosenzweig, a former deputy assistant secretary for policy at the Department of Homeland Security and now a Carnegie Fellow at Northwestern's Medill School of Journalism, is among them. "RSA is the [uber]-encryption company, and the science behind its algorithm remains the most robust in the world," he says. "But [the hacking] demonstrated once again that key security is more important than encryption technology: No matter how strong your key is, if you write it down and put it underneath your computer, you're in trouble."

It's not as though RSA hid the key under the mat, Rosenzweig says, but it does appear the secret value from which each token's ever-changing codes are generated, known as a "seed," was more vulnerable than thought. It's believed—though not yet confirmed—that the recent attempted hacks on Lockheed Martin (and now other defense companies) could be tied to a leak that RSA suffered in March.

At the time, the company admitted that its network had been hacked and key data purloined. It notified its customers but did not take any concrete steps with respect to the tokens or make concrete recommendations, Rosenzweig says. "RSA can technologically fix the problem and generate a new set of encryption keys," he says, "but will people believe their keys are safe from the threat?"
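To make the seed question concrete, here is an added illustration, not code from RSA, from this article, or from anyone quoted in it. It models a fob-style token as RFC 6238 TOTP (HMAC-SHA1 over a 30-second time step), which is a stand-in and not RSA's own SecurID algorithm, together with the server-side table that maps token serial numbers to seeds. The serial number, the timestamps and the replacement seed are constructed; the first seed is the published RFC 6238 test vector so the generator can be checked. The walk-through shows that whoever holds the seed can produce the same codes as the fob, that presenting a code twice is refused, and that loading a fresh seed (the "new set of keys" Rosenzweig describes) makes the stolen one worthless.

```python
# Added, illustrative model of a seed-based hardware token and the server that
# checks its codes. Uses RFC 6238 TOTP (HMAC-SHA1, 30-second step) as a stand-in;
# this is NOT RSA's SecurID algorithm and is not code from RSA or this article.
# Serial number, timestamps and the replacement seed below are constructed.
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Set, Tuple

STEP_SECONDS = 30  # the article's 30-second rotation period

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"); used so the
# generator can be checked against the RFC's published vectors.
RFC_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code the fob displays at unix_time: HMAC(seed, time step), truncated."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class AuthServer:
    """Holds the serial -> seed table the token vendor ships to its customer."""

    def __init__(self) -> None:
        self.seeds: Dict[str, bytes] = {}
        self.used: Set[Tuple[str, int]] = set()  # (serial, step) already accepted

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def reseed(self, serial: str, new_seed: Optional[bytes] = None) -> bytes:
        """Remediation after a seed leak: load a fresh seed; the old one dies."""
        new_seed = new_seed or secrets.token_bytes(20)
        self.seeds[serial] = new_seed
        self.used = {u for u in self.used if u[0] != serial}
        return new_seed

    def verify(self, serial: str, code: str, unix_time: int, skew: int = 1) -> bool:
        """Accept the current step or one either side (clock drift), each step once."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        step = unix_time // STEP_SECONDS
        for s in range(step - skew, step + skew + 1):
            if hmac.compare_digest(token_code(seed, s * STEP_SECONDS), code):
                if (serial, s) in self.used:
                    return False  # same code presented twice: replay
                self.used.add((serial, s))
                return True
        return False


def seed_leak_demo() -> Dict[str, bool]:
    """Normal login, replay, attacker holding the stolen seed, then a reseed."""
    server = AuthServer()
    serial = "000123456789"  # constructed serial number
    server.enroll(serial, RFC_SEED)
    t0 = 1_300_000_000  # constructed timestamp (March 2011)

    code = token_code(RFC_SEED, t0)
    legit = server.verify(serial, code, t0)
    replay = server.verify(serial, code, t0 + 5)  # same code, same 30 s step

    # Attacker copied the serial -> seed table: the fob now adds nothing.
    t1 = t0 + 5 * STEP_SECONDS
    attacker = server.verify(serial, token_code(RFC_SEED, t1), t1)

    # Vendor issues a replacement seed; codes from the stolen seed stop working.
    server.reseed(serial, bytes.fromhex("a0" * 20))  # constructed new seed
    t2 = t0 + 10 * STEP_SECONDS
    attacker_after_reseed = server.verify(serial, token_code(RFC_SEED, t2), t2)

    return {
        "legit": legit,
        "replay": replay,
        "attacker_with_stolen_seed": attacker,
        "attacker_after_reseed": attacker_after_reseed,
    }
```

The point of the model is that the server never stores the codes, only the seed; the fob's value lies entirely in the attacker not having that seed. A vendor that can re-key tokens removes the exposure, but only once every affected serial number has actually been reseeded.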

Indeed, RSA's response to its own leak drew the ire of some other security professionals, such as Harry Sverdlove, CTO of Bit9, an endpoint security company based in Waltham, Mass. "It was a little bit of motherhood and apple pie," he says. "If an automobile company found a flaw [in its product], it might issue a recall and reissue parts. That's not what happened here."

Jeffrey Carr, a computer security consultant and CEO of Taia Global, has been even more critical of RSA. He calls the company's timeline "impossibly brief," and argues that EMC (RSA's parent company) was probably under attack for longer than it admits. "EMC's customers, particularly its Department of Defense customers, should be demanding answers from [RSA president] Art Coviello and the EMC board of directors right about now," he writes on his blog. Asked what the breach, and its fallout, will ultimately mean for RSA and its tokens, Carr has a simple reply: "They're screwed."

Is there a fix for SecurID? Sverdlove says that simply adding more layers of passwords won't work: A network could require 20 passwords or it could require 50, but if somebody is able to put a piece of malware on your computer that logs keystrokes, they will have access to your system. The solution is likely to come from multiple methods of authentication, such as smart cards or biometric identification. "It has to be something other than what you type," he says.
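Here is an added illustration of Sverdlove's point, not code from the article or from Bit9. It models the two situations he contrasts: a login made of 50 typed passwords that all pass through a keystroke logger, and a possession factor that answers a fresh server challenge. The "smart card" is simplified, as an assumption, to an HMAC-SHA256 response over a random server nonce with a key that is written into the device and never read back out; real cards usually sign with an asymmetric key, but the property shown (a recorded answer cannot be replayed against a new challenge) is the same. All passwords, keys and nonces are generated inside the example.

```python
# Added, illustrative model: everything typed can be captured and replayed;
# a device that answers a fresh server nonce with a key that never leaves it
# cannot be. Constructed example, not code from the article or from Bit9.
# The smart card is simplified to an HMAC challenge-response (an assumption).
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class TypedSecretsServer:
    """Login that asks for N passwords in sequence; every one of them is typed."""

    def __init__(self, passwords: List[str]) -> None:
        self.passwords = list(passwords)

    def login(self, typed: List[str]) -> bool:
        return len(typed) == len(self.passwords) and all(
            hmac.compare_digest(a.encode(), b.encode())
            for a, b in zip(typed, self.passwords)
        )


class Keylogger:
    """Malware on the endpoint: sees every keystroke on its way to the login form."""

    def __init__(self) -> None:
        self.log: List[str] = []

    def capture(self, keystrokes: str) -> str:
        self.log.append(keystrokes)
        return keystrokes  # passed through unchanged; the user notices nothing


class SmartCard:
    """Possession factor: the key is provisioned once and never read back out."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Issues a fresh random nonce per login and accepts each one exactly once."""

    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key
        self.outstanding: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def verify(self, response: bytes) -> bool:
        nonce, self.outstanding = self.outstanding, None  # single use
        if nonce is None:
            return False
        expected = hmac.new(self.device_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def keylogger_demo(password_count: int = 50) -> Dict[str, bool]:
    """Fifty typed passwords versus one challenge-response device."""
    passwords = [f"pw-{i}-{secrets.token_hex(4)}" for i in range(password_count)]
    typed_srv = TypedSecretsServer(passwords)
    logger = Keylogger()
    user_typed_ok = typed_srv.login([logger.capture(p) for p in passwords])
    attacker_replay_ok = typed_srv.login(logger.log)  # the log IS the login

    key = secrets.token_bytes(32)
    card = SmartCard(key)
    cr_srv = ChallengeResponseServer(key)
    response = card.respond(cr_srv.challenge())
    user_card_ok = cr_srv.verify(response)
    # The attacker recorded that response (and every keystroke). The next login
    # gets a new nonce, so the recording is useless without the card itself.
    cr_srv.challenge()
    attacker_card_replay_ok = cr_srv.verify(response)

    return {
        "user_typed": user_typed_ok,
        "attacker_replays_keystrokes": attacker_replay_ok,
        "user_card": user_card_ok,
        "attacker_replays_response": attacker_card_replay_ok,
    }
```

The distinction is not the number of secrets but where they live: fifty typed passwords are fifty strings the malware already has, while the card's key is never typed and never transmitted, and the server's nonce means the only thing an attacker can record is an answer to a question that will not be asked again.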

However, no system is perfect. Even fingerprints that could be used for on-site access could be duplicated, he says—and while you can change a password if it's stolen, you can't change your fingerprints.

Popular Mechanics participates in various affiliate marketing programs, which means we may get paid commissions on editorially chosen products purchased through our links to retailer sites.